Credential-based attacks are one of the most common forms of cybercrime. Because using stolen credentials to access sensitive information is a low-risk, high-reward venture, cybercriminals will often target passwords as a standard attack vector. In Verizon’s latest Data Breach Investigations Report (DBIR), researchers confirmed that passwords are among the most popular targets in cyberattacks – more popular than financial, medical, and personal data.  

A common credential-focused cyberattack is known as “credential stuffing.” This involves the use of automated scripts, combined with lists of illicitly obtained credentials (via the dark web or by other means), to quickly test a user’s password across many different online services. This practice is much more efficient than typical brute-force password attacks, during which a malicious actor will run software that automatically generates and attempts to log in with new passwords (sometimes informed by which passwords are most used – this practice specifically is known as “password spraying”) until the hacker gains access to the account. 

How have governments tried to protect credentials? 

Credential security is one of the foremost lines of defense that government leaders can leverage in response to cyberthreats. With the highly sensitive information that can be acquired by using an administrator’s credentials, governments find themselves obliged to develop certain protocols for compliance to make sure organizations are protected against system intrusions.  

There are several examples of government leaders taking steps to safeguard electronic credentials, such as the following: 

Health Insurance Portability and Accountability Act (HIPAA) 

HIPAA is one of the most prominent examples of a federally regulated credential security protocol. A large part of HIPAA’s impact lies in its Security Rule, which is designed to “protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.” While the act’s Privacy Rule protects the privacy of individually identifiable health information, the Security Rule focuses on this information in its electronic form.  

The Security Rule gives covered entities, such as doctor’s offices and insurance companies, a decent amount of freedom in how they handle electronic protected health information (e-PHI). Organizations that must comply with the rule are free to determine the size, complexity, and capability of their credential security system, if it adequately guarantees the safety of e-PHI. A clause on transmission security states that “a covered entity must implement technical security measures that guard against unauthorized access to e-PHI that is being transmitted over an electronic network.” 

General Data Protection Regulation (GDPR) 

In the European Union, cybersecurity authorities have established several regulations designed to ensure the security of confidential credential information. Among these regulations is the General Data Protection Regulation (GDPR), which requires any organization handling the information of E.U. citizens to implement “appropriate technical and organizational measures” to handle data securely and respond appropriately to data breaches. 

Violating GDPR rules can cause an organization to be fined up to 10 million euros, or up to two percent of the organization’s global turnover. On the specific subject of credential security, the EU Cybersecurity Agency (ENISA) suggests organizations use two-factor authentication to boost compliance with the act. Two-factor authentication provides an added layer of account security by requiring more than just a password. It often involves sending messages containing a verification code to a user’s phone or email and requiring the user to submit this code in addition to their password. 

What safeguards can regulators take? 

Two-factor authentication is just one of several measures regulators can take to protect passwords and other private information on their servers and in their transmissions. A subset of two-factor authentication is the field of biometrics, which uses a piece of technology to verify something physical about the user, like their fingerprint or their facial scan, guaranteeing that only the user can access sensitive or locked information. 

Regulators can even boost credential security by taking care with the design and function of their login pages. For example, a login page that prints an error message in response to an incorrect login can avoid giving hackers valuable information simply by printing a vague message that does not let the user know whether their login username or email is in their system. Just by reading error messages, cybercriminals can glean valuable information about which users are registered with which services. 

As with most cybersecurity threats, one of the best preventive measures regulators can take to avoid credential-focused attacks is thoroughly training their staff on the nature of these intrusions and the steps they can take to keep themselves safe. By discouraging employees from using the same password on multiple services, and by encouraging them to use complex, unique passwords, government leaders can substantially curb one of the fastest-rising threats in cybersecurity. It will, however, always require a combination of human and technical approaches for regulators to protect their users’ private credential information.